
Re: [IETF-PKIX] OCSP: Method of Identifying Certificates



> From: Stephen Kent <kent@bbn.com>
>
> When we encode anything as a DN it becomes part of the DN space, for which
> ITU claims responsibility, but for which we lack an authoritative
> registrar.


I see.

The question in my mind remains "can X.509 be used outside the context
of the X.500 directory?".  Or, does the IETF, which defines the syntax
of Name, RDNSequence, and RelativeDistinguishedName in PKIX Part 1,
somehow have a sub-rosa importation of the semantics of Directory
(or Distinguished) Names from X.500, including a requirement to use
the ITU as a registrar?

Note that Part 1 defines DistinguishedName ::= RDNSequence,
but DistinguishedName is *never* used.  The subject and issuer
fields of Certificate are Name, not DistinguishedName.  The syntax
is the same, but the argument can be made that the IETF has the right
to define its own attributes which may appear in RDNSequence, and
to serve as the registrar for its own namespaces.

I would put forth the claim that a Name which began with "C=" would be
registered under the ITU, a Name which began with "DC=" would be
registered under the IETF, and a Name which began with a private
attribute "FOO=" would be registered under the organization which owns
the attribute's OID.

Dave Kemp